DETAILED ACTION

1. This action is responsive to amendment received July 28, 2008. Claims 1, 6, 10,
14, 18 and 26-27 were amended. Claim 4 was canceled. Claims 1-3 and 5-26 are
pending examination.

Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by
another filed in the United States before the invention by the applicant for patent or (2) a patent
granted on an application for patent by another filed in the United States before the invention by the
applicant for patent, except that an international application filed under the treaty defined in section
351(a) shall have the effects for purposes of this subsection of an application filed in the United States
only if the international application designated the United States and was published under Article 21(2)
of such treaty in the English language.

2. Claims 1-3 and 5-27 are rejected under 35 U.S.C. 102(e) as being anticipated by 
Hurst et al., U.S. Patent No. 7,200,867 (referred to hereafter as Hurst). 

As to claim 1, Hurst teaches a communication gateway apparatus to be coupled
between a server and a client, comprising: 

a reception unit configured to receive a content transferred from the server to the 
client (see col. 3 lines 53-61, security system 100 located between client computer and
target server); 

an extraction unit configured to extract a script program from the received 
content (see col. 3 lines 62-67 and col. 4 lines 1-8);

a storage to store transfer destination information representing a plurality of
transfer destinations designated as authentic (see col. 4 lines 10-35, the extracted links 
are compared to a database of accepted urls); 

an inspection unit configured to inspect the script program to detect that the 
script program has a function of transferring any one of information stored in the client 
and the received content, thereby identifying at least one transfer destination of the 
information (see col. 4 lines 10-67); 

a determination unit configured to determine whether or not transfer of the 
content is permitted, by collating the identified transfer destination of the information 
with the plurality of transfer destinations of the destination information; and a 
transmission unit configured to transmit the content to the client only when the 
determination unit determines that transfer is permitted (see col. 4 lines 10-67, the 
system determines if the links to the pages are checked to determine if the transfer of 
the page is safe or not); 

wherein the information includes cookie information held in a browser running in 
the client (see col. 7 lines 1-17, instructions include information such as whether to add, 
modify or not to send cookie from user browser). 

As to claim 2, Hurst teaches the apparatus according to claim 1, wherein the 
inspection unit identifies a plurality of transfer destinations of the information, and 
wherein the determination unit determines that transfer is permitted only if all the 
transfer destinations of the information are within the plurality of transfer destinations of
the destination information (see col. 4 lines 10-67). 

As to claim 3, Hurst teaches the apparatus according to claim 1, wherein the
inspection unit is further configured to output, if the transfer destination of the 
information is unidentifiable, an arbitrary transfer destination, and the determination unit 
determines that transfer of the content is not permitted (see col. 4 lines 10-67). 

As to claim 4, Hurst teaches the apparatus according to claim 1, wherein the
information includes cookie information held in a Web browser running in the client (see 
col. 3 lines 33-52). 

As to claim 5, Hurst teaches the apparatus according to claim 1, wherein the 
destination information includes any one of a list of permitted URLs and regular 
expressions (see col. 4 lines 21-45). 

As to claim 6, Hurst teaches a communication gateway apparatus to be coupled 
between a server and a client, comprising: 

a reception unit configured to receive a content having an input form and 
transferred from the server to the client; an extraction unit configured to extract a script 
program from the received content (see col. 3 lines 53-61, security system 100 located 
between client computer and target server);

a storage to store transfer destination information representing a plurality of
transfer destinations designated as authentic (see col. 4 lines 10-35, the extracted links 
are compared to a database of accepted urls); 

an inspection unit configured to inspect the script program to detect that the 
script program has a function of changing a transmission destination of the input form, 
thereby identifying at least one changed transfer destination of the input form; a 
determination unit configured to determine whether or not transfer of the content is 
permitted, by collating the changed transfer destination of the input form with the 
plurality of transfer destinations of the destination information (see col. 4 lines 10-67); 
and 

a transmission unit configured to transmit the content to the client only when the 
determination unit determines that transfer is permitted (see col. 4 lines 10-67, the 
system determines if the links to the pages are checked to determine if the transfer of 
the page is safe or not). 

Claims 7-13, 15-17 and 19-21 have similar limitations as claims 1-6, 14 and 18 
and therefore are rejected for similar reasons. 

As to claim 14, Hurst teaches a communication gateway apparatus to be coupled 
between a server and a client, comprising: 

a reception unit configured to receive a content having a form and transferred 
from the server to the client (see col. 3 lines 53-61, security system 100 located
between client computer and target server); 



Application/Control Number: 10/808,564 Page 6 

Art Unit: 2457 

an extraction unit configured to extract a script program from the received 
content (see col. 3 lines 62-67 and col. 4 lines 1-8); 

a storage to store request destination information representing a plurality of 
request destinations designated as authentic (see col. 4 lines 10-35, the extracted links 
are compared to a database of accepted urls); 

an inspection unit configured to inspect the script program to detect that the 
script program has a function of requesting an external content having an input form to 
be inserted within the form, thereby identifying at least one request destination of the 
external content (see col. 4 lines 10-67); 

a determination unit configured to determine whether or not transfer of the 
content is permitted, by collating the identified request destination of the external 
content with the plurality of the request destinations of the destination information; and a 
transmission unit configured to transmit the content to the client only when the 
determination unit determines that transfer is permitted (see col. 4 lines 10-67, the 
system determines if the links to the pages are checked to determine if the transfer of 
the page is safe or not). 

As to claim 18, Hurst teaches a communication gateway apparatus to be coupled 
between a server and a client, comprising: 

a reception unit configured to receive a content transferred from the server to the 
client (see col. 3 lines 53-61, security system 100 located between client computer and
target server);

an extraction unit configured to extract a script program from the received
content (see col. 3 lines 62-67 and col. 4 lines 1-8); 

a storage to store transfer destination information representing a plurality of 
transfer destinations designated as authentic (see col. 4 lines 10-35, the extracted links 
are compared to a database of accepted urls); 

an inspection unit configured to inspect the script program to detect that the 
script program has a function of adding an input form to the received content, and a 
function of transferring the input form, thereby identifying at least one transfer 
destination of the input form (see col. 4 lines 10-67 and col. 6 lines 58-67); 

a determination unit configured to determine whether or not transfer of the 
content is permitted, by collating the identified transfer destination of the information 
with the plurality of transfer destinations of the destination information; and a 
transmission unit configured to transmit the content to the client only when the 
determination unit determines that transfer is permitted (see col. 4 lines 10-67, the 
system determines if the links to the pages are checked to determine if the transfer of 
the page is safe or not). 

As to claim 22, Hurst teaches the apparatus according to claim 1, further
comprising: a document generation unit configured to generate a document by partially 
executing the extracted script program, and wherein the extraction unit further extracts 
another script program to be inspected from the document (see col. 5 lines 45-67).

As to claim 23, Hurst teaches the apparatus according to claim 1, wherein when
the determination unit determines that transfer is not permitted, the transmission unit 
transmits an error content to the client instead of the received content. 

As to claim 24, Hurst teaches the apparatus according to claim 1, wherein when
the determination unit determines that transfer is not permitted, the transmission unit 
transmits a message notifying that transfer is not permitted, to an account of an 
administrator (see col. 5 lines 45-67). 

As to claim 25, Hurst teaches the apparatus according to claim 24, wherein the 
transmission unit adds at least the received content to the message and transmits the 
message (see col. 5 lines 45-67). 

As to claim 26, Hurst teaches a method of affording security of communication 
between a vulnerable server and a client, comprising: receiving a content transferred 
from the vulnerable server; extracting a script program from the received content; 
inspecting the script program to identify a transfer destination of information, where 
transferring the information is caused by the client executing the script program; 
collating the identified transfer destination of the information with a permitted transfer 
destination list; and transmitting the received content to the client only if the identified 
transfer destination of the information is within the permitted transfer destination list, so 
as to prevent the information from illicitly transferring to a malicious server (see col. 3 
lines 24-col. 4 lines 67).

As to claim 27, Hurst teaches a computer program product for affording security
of communication between a vulnerable server and a client, comprising: means for 
instructing a computer to receive a content transferred from the vulnerable server; 
means for instructing the computer to extract a script program from the received 
content; means for instructing the computer to inspect the script program to identify a 
transfer destination of information, where transferring the information is caused by the 
client executing the script program; means for instructing the computer to collate the 
identified transfer destination of the information with a permitted transfer destination list; 
and means for instructing the computer to transmit the received content to the client 
only if the identified transfer destination of the information is within the permitted transfer 
destination list, so as to prevent the information from illicitly transferring to a malicious 
server (see col. 3 lines 24-col. 4 lines 67). 

Response to Arguments 

3. Applicant's arguments have been fully considered but are not persuasive. 
Applicant argues in substance that Hurst does not teach a cookie information held in the 
client web browser. 

In response, Hurst teaches a system and method for web security analysis
system for detecting security vulnerabilities (see abstract). Hurst explicitly teaches that
cookies are analyzed to determine whether the cookie has information such as whether
to add, modify or not to send cookie information from user browser (see col. 7 lines 1-17).
Therefore Hurst teaches "the information includes cookie information held in a
browser running in the client" as claimed.




4. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time
policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

5. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to HUSSEIN A. EL CHANTI whose telephone number is 
(571)272-3999. The examiner can normally be reached on Mon-Fri 8:30-5:00. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ario Etienne can be reached on (571)272-4001. The fax phone number for
the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
Hussein Elchanti 
Oct. 21, 2008